From 66e78c3ec4e524a31a4c12f4dbe682ccbbc0025d Mon Sep 17 00:00:00 2001
From: eal <eal@waifu.club>
Date: Sat, 18 Nov 2017 14:43:41 +0200
Subject: [PATCH 1/3] Escape HTML instead of discarding it.

---
 lib/pleroma/web/common_api/utils.ex       | 3 ++-
 test/web/twitter_api/twitter_api_test.exs | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex
index 83a656011..21b6226b1 100644
--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@@ -58,7 +58,8 @@ defmodule Pleroma.Web.CommonAPI.Utils do
   end
 
   def format_input(text, mentions, tags) do
-    HtmlSanitizeEx.strip_tags(text)
+    Phoenix.HTML.html_escape(text)
+    |> elem(1)
     |> Formatter.linkify
     |> String.replace("\n", "<br>\n")
     |> add_user_links(mentions)
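Review bot: `Phoenix.HTML.html_escape(text) |> elem(1)` reaches into the `{:safe, data}` tuple by hand, and that second element is only documented as iodata, not as a binary. Depending on the Phoenix.HTML version it can be a list, which `Formatter.linkify` and `String.replace/3` further down the pipe would not accept. `Phoenix.HTML.safe_to_string/1` is the supported way to get a binary: `text |> Phoenix.HTML.html_escape() |> Phoenix.HTML.safe_to_string()`. Escaping now runs before `Formatter.linkify`, so a URL containing `&` reaches the linkifier as `&amp;`; whether linkify copes with that is not visible here, since `format_input/3` continues past the end of this hunk. A comment such as `# text is HTML-escaped first; later steps may only add markup built from escaped values` would record that ordering requirement.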
diff --git a/test/web/twitter_api/twitter_api_test.exs b/test/web/twitter_api/twitter_api_test.exs
index 994cc8f90..8698686ad 100644
--- a/test/web/twitter_api/twitter_api_test.exs
+++ b/test/web/twitter_api/twitter_api_test.exs
@@ -34,7 +34,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
 
     { :ok, activity = %Activity{} } = TwitterAPI.create_status(user, input)
 
-    assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.<br>\nThis is on another line. #2hu #epic #phantasmagoric<br>\n<a href=\"http://example.org/image.jpg\" class='attachment'>image.jpg</a>"
+    assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.&lt;script&gt;&lt;/script&gt;<br>\nThis is on another line. #2hu #epic #phantasmagoric<br>\n<a href=\"http://example.org/image.jpg\" class='attachment'>image.jpg</a>"
     assert get_in(activity.data, ["object", "type"]) == "Note"
     assert get_in(activity.data, ["object", "actor"]) == user.ap_id
     assert get_in(activity.data, ["actor"]) == user.ap_id
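Review bot: The updated expectation pins only the `<script></script>` case, so the escaping of `&`, `"` and `'` is not covered, and neither is the way escaped text passes through the linkifier. The test input is defined outside this hunk. A second status whose text contains a quote character and a URL with a query string, asserted against the exact stored `content`, would catch a regression if the escape step is later reordered or swapped out.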

From fb118b2978686a44a15534b638ab7887fb38c03d Mon Sep 17 00:00:00 2001
From: eal <eal@waifu.club>
Date: Sat, 18 Nov 2017 14:46:54 +0200
Subject: [PATCH 2/3] Don't insert newlines to generated HTML.

MastoFE doesn't like them.
---
 lib/pleroma/web/common_api/utils.ex           | 4 ++--
 test/web/common_api/common_api_utils_test.exs | 2 +-
 test/web/twitter_api/twitter_api_test.exs     | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex
index 21b6226b1..7cce77b10 100644
--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@@ -54,14 +54,14 @@ defmodule Pleroma.Web.CommonAPI.Utils do
         "<a href=\"#{href}\" class='attachment'>#{shortname(name)}</a>"
       _ -> ""
     end)
-    Enum.join([text | attachment_text], "<br>\n")
+    Enum.join([text | attachment_text], "<br>")
   end
 
   def format_input(text, mentions, tags) do
     Phoenix.HTML.html_escape(text)
     |> elem(1)
     |> Formatter.linkify
-    |> String.replace("\n", "<br>\n")
+    |> String.replace("\n", "<br>")
     |> add_user_links(mentions)
     # |> add_tag_links(tags)
   end
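Review bot: The attachment anchor in the context line at the top of this hunk is built as `"<a href=\"#{href}\" class='attachment'>#{shortname(name)}</a>"`, and neither value passes through the escaping that patch 1 added for the status text. Whether `href` and `name` are validated before they get here is not visible, because the function starts above the hunk. If they are not, a quote or angle bracket in either one ends up verbatim in the stored HTML. Escaping both at the interpolation site would keep the two paths consistent, e.g. `#{href |> Phoenix.HTML.html_escape() |> Phoenix.HTML.safe_to_string()}`, and the same for the shortened name.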
diff --git a/test/web/common_api/common_api_utils_test.exs b/test/web/common_api/common_api_utils_test.exs
index a159c0835..f6a7da9ed 100644
--- a/test/web/common_api/common_api_utils_test.exs
+++ b/test/web/common_api/common_api_utils_test.exs
@@ -11,6 +11,6 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
 
     res = Utils.add_attachments("", [attachment])
 
-    assert res == "<br>\n<a href=\"#{name}\" class='attachment'>Sakura Mana – Turned on by a Se…</a>"
+    assert res == "<br><a href=\"#{name}\" class='attachment'>Sakura Mana – Turned on by a Se…</a>"
   end
 end
diff --git a/test/web/twitter_api/twitter_api_test.exs b/test/web/twitter_api/twitter_api_test.exs
index 8698686ad..06ecd9e75 100644
--- a/test/web/twitter_api/twitter_api_test.exs
+++ b/test/web/twitter_api/twitter_api_test.exs
@@ -34,7 +34,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
 
     { :ok, activity = %Activity{} } = TwitterAPI.create_status(user, input)
 
-    assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.&lt;script&gt;&lt;/script&gt;<br>\nThis is on another line. #2hu #epic #phantasmagoric<br>\n<a href=\"http://example.org/image.jpg\" class='attachment'>image.jpg</a>"
+    assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.&lt;script&gt;&lt;/script&gt;<br>This is on another line. #2hu #epic #phantasmagoric<br><a href=\"http://example.org/image.jpg\" class='attachment'>image.jpg</a>"
     assert get_in(activity.data, ["object", "type"]) == "Note"
     assert get_in(activity.data, ["object", "actor"]) == user.ap_id
     assert get_in(activity.data, ["actor"]) == user.ap_id

From 31e4277ba5a2a793a0bc94f5d7682a48349583a3 Mon Sep 17 00:00:00 2001
From: eal <eal@waifu.club>
Date: Sat, 18 Nov 2017 15:25:22 +0200
Subject: [PATCH 3/3] Don't add summary if empty.

---
 .../web/twitter_api/representers/activity_representer.ex     | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/pleroma/web/twitter_api/representers/activity_representer.ex b/lib/pleroma/web/twitter_api/representers/activity_representer.ex
index 3fbeb86ba..b17013d87 100644
--- a/lib/pleroma/web/twitter_api/representers/activity_representer.ex
+++ b/lib/pleroma/web/twitter_api/representers/activity_representer.ex
@@ -135,8 +135,9 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenter do
     tags = activity.data["object"]["tag"] || []
     possibly_sensitive = Enum.member?(tags, "nsfw")
 
-    content = if activity.data["object"]["summary"] do
-      "<span>#{activity.data["object"]["summary"]}</span><br>#{content}</span>"
+    summary = activity.data["object"]["summary"]
+    content = if !!summary and summary != "" do
+      "<span>#{activity.data["object"]["summary"]}</span><br />#{content}</span>"
     else
       content
     end
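Review bot: The summary is interpolated into the markup unescaped in the new `"<span>#{activity.data["object"]["summary"]}</span><br />#{content}</span>"` line. For activities that arrive over federation the value is remote-controlled, unless it is sanitised at ingestion, which this hunk does not show. If it is not already escaped upstream, use the new binding and escape it: `"<span>#{summary |> Phoenix.HTML.html_escape() |> Phoenix.HTML.safe_to_string()}</span><br />#{content}"`. That form also drops the trailing `</span>`, which has no matching opener in the string and is carried over from the old line. The guard reads more directly as `if summary not in [nil, ""] do`, and `<br />` here differs from the `<br>` that patch 2 settles on in utils.ex.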